APRA CPS 234: How to Ensure Vendor and Contract Compliance

Australian Prudential Standard CPS 234 Information Security was created to enhance resilience around security incidents. It focuses mainly on cyber attacks for APRA-regulated entities that need to maintain information security capabilities to protect their organisation and customers.

You’ll want to consider this alongside your APRA CPS 230 requirements.

For vendor-facing teams, you likely provide your vendors with sensitive information or that they control swathes of information in the services performed.

The likelihood of cyber attacks in a supply chain is high.

According to a Security Scorecard and the Cyentia Institute report, 98% of companies have had one of their vendors breached in the last two years. The National Cyber Security Centre (NCSC) also emphasises the importance of understanding supply chains to mitigate cyber risk.

In this article, I’ll explore how we can utilise a Vendor and Contract Lifecycle Management (VCLM) platform and methodology to ensure your vendors and the wider supply chain are CPS 234 compliant.

Enhance Vendor Governance for CPS 234 Compliance

A good starting point is to look at your existing vendor controls and governance capabilities. CPS 234 is a collaborative requirement.

You’ll likely need your teams aligned on the strategy across:

• IT Leadership
• Risk Leadership
• Procurement Leadership
• Legal Leadership
• InfoSec Leadership

One way to enhance your approach is to create a committee with stakeholders from each team to oversee CPS 234 requirements.

I regularly attended and was part of a risk committee during my time in FinTech. We were able to cover just about every regulatory, legislative, and “other” scenario that the organisation may face and build out ways of working across multiple teams to manage it.

Building a 'Responsible, Accountable, Consulted, and Informed' (RACI) chart for CPS 234 makes sense to ensure everyone is clear on their responsibilities and accountabilities, and this seems to go hand-in-hand with Section 14 requirements, which state:

“An APRA-regulated entity must clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies, and individuals with responsibility for decision-making, approval, oversight, operations and other information security functions”.

Governing bodies also allude to committees such as those I’ve mentioned, so having a clear committee policy, with chairs, scribes, and all that good stuff, is necessary.

Once you’ve implemented this, you’ll have a forum to discuss and collaborate. More importantly, it forces all the issues into a single melting pot.

CPS 234 Compliance for Vendor-Facing Teams

CPS 234 has several requirements that vendor-facing teams will need to consider. I’ve highlighted the extent of the requirements in this summary of the original text. Entities must:

1. Maintain an information security capability commensurate with the size and extent of threats to their information assets (Section 15).
   
   
2. Implement controls to protect information assets and undertake systematic testing and assurance regarding the effectiveness of those controls (Section 27)
   
   
3. Notify APRA of material information security incidents as soon as possible and no later than 72 hours (Section 35 will have a bearing on your vendor contracts around notifications)
   
   
4. Assess the information security capability of related or third parties managing information assets commensurate with potential consequences of an information security incident affecting those assets (Section 16 and Section 1 for Due Diligence).
   
   
5. Actively maintain information security capability concerning changes in vulnerabilities and threats, including those resulting from changes to information assets or business environment (Section 17)
   
   
6. Classify information assets, including those managed by related parties and third parties, by criticality and sensitivity (Section 20).
   
   
7. Implement information security controls to protect information assets, including those managed by related parties and third parties that are commensurate with vulnerabilities and threats, the criticality and sensitivity of the information assets, the stage at which the information assets are within their life-cycle, and the potential consequences of an information security incident (Section 21).
   
   
8. Have plans to respond to information security incidents and manage all relevant stages of an incident, from detection to post-incident review (Sections 23-26).
   
   
9. Annually review and test its information security response plans to ensure they remain adequate and fit for purpose (Section 27 and Section 31 in particular).
   
   
10. Information security audits must review the design and operating effectiveness of information security controls, including those maintained by related parties and third parties (Section 32).

As you can see, there are many "vendor-facing” requirements here that we need to manage.

I’ll walk you through using Gatekeeper’s VCLM platform to become APRA CPS 234 compliant.

How you can address your vendor and contract challenges for CPS 234

I’m going to focus on several areas here:

• How to manage your CPS 234 requirements via vendor onboarding and due diligence
• Contract Review digital workflows to ensure you put in place CPS 234-compliant contracts.
• Utilising a vendor portal so that you have critical contacts for incidents documented

Vendor Due Diligence for CPS 234 Compliance

Using a vendor onboarding best practice workflow, you can get up and running with CPS 234 compliance speedily.

Within the Gatekeeper vendor onboarding workflow, you can create a set of CPS 234 due diligence questions. Likely, you’ll already have some relevant questions. These questions will focus on:

• Information Security Management
• Incident Management Process
• Business Continuity and Disaster Recovery
• A Vendor RACI for people in the organisation responsible for Information Security Management and Incident Management
• Audit process

This data can be stored, accessed, and viewed in reporting to give you complete visibility and control over your CPS 234 compliance requirements.

Vendor Contracts for CPS 234

The best way to ensure contract compliance is through a digital workflow. By utilising Gatekeeper’s contract review best practice workflow, you can manage:

• Contract Intake
• Triage
• Review
• Redlines
• Negotiation
• Approvals
• Signature

Ensure you have clauses in your contracts around the following:

• Incident management and the need to be notified immediately of an information security incident: You’d likely want to mirror the 72-hour language from section 35, but I suggest you seek specialist legal advice from your General Counsel or external counsel on that matter.
• Vulnerability management and updates.
• Audit requirements for you to access the vendor’s premises, people, and operations for contract compliance.
• Confidentiality provisions around information assets.

You can use the contract review workflow to capture this information and ensure it’s all in place before the contract signature. That way, every vendor contract achieves 100% CPS 234 compliance.

Vendor Portal for CPS 234 Compliance

An under-appreciated solution to vendor compliance requirements is having a vendor portal so that your vendors can communicate and collaborate with you securely.

You’ll be able to create a vendor portal account for your vendors, invite relevant vendor users and collaborate with them.

You’ll have all your vendor personnel responsible for incident management in one place.

Your vendors can update you on matters via the portal, update their information, and provide up-to-date documents such as their Information Security Management Strategy documentation as needed upon expiration of the current version.

Closing Thoughts 

CPS 234 will require vendor management to play its part in assisting the wider business. I don’t see this as something vendor-facing teams will necessarily lead on, but you will ensure your organisation complies.

Utilising a VCLM approach might be the perfect way to ensure that your vendors, their contracts, and their risk profiles are suitable for your compliance requirements.